On Wednesday, July 13, 2016 01:01:13 pm Eric Rescorla wrote:
> It's natural to pick the cipher suite first and then look for the key_share
> extension, so if, for instance, you pick a PSK-only cipher suite, then you
> wouldn't look for the key_share.

Agreed. That's why I'm ok with the current "no alternative cipher suite is available" qualification. If the extension never comes up, then not giving a specific error for it is allowed.

On Wednesday, July 13, 2016 10:43:58 am David Benjamin wrote:
> To be clear, I am not at all opposed to useful errors or strict policing of
> what the peer sends. [...]
> Complexity is the currency we pay for adding things.

I very much agree. Our debate hinges on risk assessment, which gets admittedly hard when talking about unknown future implementations. ;)

Essentially, the design philosophy I and Hubert are advocating involves mandatory validation of inputs by all implementations such that we focus on avoiding divergence from what we all agree to in the spec, rather than always try and use our imagination to enumerate each individual screw up that could be made.

Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
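Added example, not part of the original message or of the TLS 1.3 draft: a sketch of the server-side ordering discussed above, where the cipher suite is chosen first, key_share is consulted only if the candidate suite needs it, and a specific error is produced only when no alternative suite is available. The suite names and the per-suite extension table are hypothetical; missing_extension and handshake_failure are existing TLS alert names.

```python
# Added illustration. Suite names and this table are constructed for the
# example; they are not taken from the TLS 1.3 draft or any implementation.
REQUIRED_EXTENSIONS = {
    "ECDHE_CERT_SUITE": {"key_share", "signature_algorithms"},
    "ECDHE_PSK_SUITE": {"key_share", "pre_shared_key"},
    "PSK_ONLY_SUITE": {"pre_shared_key"},
}

SERVER_PREFERENCE = ["ECDHE_CERT_SUITE", "ECDHE_PSK_SUITE", "PSK_ONLY_SUITE"]


def select_suite(client_suites, client_extensions, server_prefs=SERVER_PREFERENCE):
    """Return (suite, None) on success or (None, alert_name) on failure.

    Suites are tried in server preference order. An extension is examined
    only when the suite under consideration requires it, so a ClientHello
    that ends up on a PSK-only suite is never checked for key_share.
    """
    offered = set(client_suites)
    present = set(client_extensions)
    missing = set()  # extensions that ruled out an otherwise usable suite

    for suite in server_prefs:
        if suite not in offered:
            continue
        lacking = REQUIRED_EXTENSIONS[suite] - present
        if not lacking:
            return suite, None
        missing |= lacking  # remember why, then look for an alternative

    # No alternative cipher suite is available.
    if missing:
        # A common suite existed but a required extension was absent.
        return None, "missing_extension"
    # Nothing in common at all: the extension question never came up.
    return None, "handshake_failure"


if __name__ == "__main__":
    # Constructed ClientHello summaries: (offered suites, extensions present).
    samples = [
        (["PSK_ONLY_SUITE"], ["pre_shared_key"]),
        (["ECDHE_CERT_SUITE", "PSK_ONLY_SUITE"], ["signature_algorithms", "pre_shared_key"]),
        (["ECDHE_CERT_SUITE"], ["signature_algorithms"]),
        (["UNKNOWN_SUITE"], ["key_share"]),
    ]
    for suites, exts in samples:
        print(suites, exts, "->", select_suite(suites, exts))
```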